Android malware writers exploit Instagram craze to distribute SMS Trojan

In an attempt to take advantage of the popularity of free photo-sharing app Instagram among smartphone users, malware writers have created fake Instagram websites to distribute Android Trojan horses, according to security researchers from antivirus firms Sophos and Trend Micro.

Originally developed for Apple’s iOS devices, Instagram allows smartphone users to take photos, apply various digital filters to them and share the resulting images on social networking websites. There are over 30 million registered Instagram accounts as of April 2012, according to its creators.

[ Also on InfoWorld: Twitterverse in uproar over Facebook’s $1B Instagram buy. | Learn how to secure your systems with InfoWorld’s Malware Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

At the beginning of April, an Android version of the app was released on Google Play and it was downloaded more than one million times during the first 12 hours.

The company that developed Instagram was acquired by Facebook for almost $1 billion on April 12, which attracted the attention of the media and, as it usually happens with popular events, that of cybercriminals.

“We discovered a spoofed web page containing a rogue version of Instagram,” Trend Micro fraud analyst Karla Agregado said in a blog post on Tuesday. “The said web page mimics Instagram‘s legitimate download page.”

The fake Instagram website contains text in Russian and distributes an Android Trojan horse that, once installed, sends SMS messages to premium-rate numbers without the phone owner’s authorization, said Graham Cluley, senior technology consultant at Sophos, in a blog post on Wednesday.

The rogue app’s installer, also called the APK, contains several pictures of a man that has been the subject of a photobomb-type meme in Russia. A large number of random images with this man’s picture digitally added into them can be found on Russian websites.

It’s not clear why the creators of this Android malware decided to include this photo into the malicious APK, but it isn’t the first time this has been done. In February, security researchers from Symantec reported about server-side polymorphic Android malware that contained the same picture.

“It’s quite likely that whoever is behind this latest malware campaign is also using the names and images of other popular smartphone apps as bait,” Cluley said.

Last week, security researchers from Sophos reported about a similar piece of Android malware that masqueraded as the new Angry Birds Space game in order to trick users into installing it on their phones.

Trend Micro researchers have seen several fake websites during the past few days that masquerade as download pages for popular games like Fruit Ninja, Temple Run or Talking Tom Cat, Agregado said. “Users are advised to remain cautious before downloading Android apps, specially those hosted on third-party app stores.”